September 10, 2002

MEMORANDUM

FOR:      M/AS, Roberto J. Miranda

FROM:     IG/A/ITSA, Melinda G. Dempsey /s/

SUBJECT:  Risk Assessment of Major Functions Within the
          Consolidation, Property and Services Division of the Office
          of Administrative Services, Bureau for Management
          (Report No. A-000-02-002-S)

This memorandum is our report on the subject risk assessment. Although
this is not an audit report, this report contains a suggestion for your
consideration. We have reviewed your comments, and they are included as
Appendix II. I appreciate the cooperation and courtesy extended to my staff
during the risk assessment.


Background

The Office of Administrative Services, Bureau for Management, (M/AS)
provides logistical support services and administrative services worldwide
and is responsible for functions costing approximately $40 million annually.
It is comprised of the Office of the Director [1] and four divisions:

•   Consolidation, Property and Services Division,
•   Information and Records Division, [2]
•   Overseas Management Support Division, [3] and
•   Travel and Transportation Division. [4]

[1] See risk assessment Report No. A-000-02-001-S.
[2] See risk assessment Report No. A-000-02-003-S.
[3] See risk assessment Report No. A-000-02-004-S.
[4] See risk assessment Report No. A-000-02-005-S.

During the past decade, the Office of Inspector General has performed few
audits of the Office of Administrative Services’ functions. In addition, the
Office of Administrative Services has received limited external reviews and
evaluations from other sources. Given the lack of external independent
reviews, including audits, we performed risk assessments of the major
functions of the Consolidation, Property and Services Division of the Office
of Administrative Services.

The General Accounting Office’s “Standards for Internal Control in the
Federal Government” (November 1999) note that internal controls should
provide reasonable assurance that agency objectives are being achieved,
operations are effective and efficient, and assets are safeguarded against loss.
Internal controls consist of the following five interrelated components.
These components are the minimum level for internal control and provide
the basis against which internal control is to be evaluated.

1. Management and employees should establish and maintain a control
   environment throughout the agency that sets a positive and supportive
   attitude toward internal control and conscientious management.
2. Internal control should provide for a risk assessment of the risks the
   agency faces from both external and internal sources.
3. Internal control activities should be effective and efficient in
   accomplishing the agency’s control objectives and help ensure that
   management’s directives are carried out.
4. Information should be recorded and communicated to management and
   others within the agency who need it and in a form and within a time
   frame that enables them to carry out their internal control and other
   responsibilities.
5. Internal control monitoring should assess the quality of performance over
   time and ensure that the findings of audits and other reviews are
   promptly resolved.

This review focused on the second component—risk assessment. The GAO
Standards note that the specific risk analysis methodology used can vary
because of differences in agencies’ missions and the difficulty in
qualitatively and quantitatively assigning risk levels. This review assigned a
risk exposure of high, moderate, or low for each major function. A higher
risk exposure simply indicates that the particular function is more vulnerable
to its program objectives not being achieved or irregularities occurring.
Appendix I describes in detail our risk assessment scope and methodology.


Discussion

The Consolidation, Property and Services Division of the Office of
Administrative Services, Bureau for Management, (M/AS) is responsible
for the following seven major functions. [5] Our assessments of the risk
exposure for each of these major functions are described below.

[5] Our risk assessments only covered major functions. In addition to major
functions described in this report, the Consolidation, Property and Services
Division also is responsible for motor pool and coordination of art work.

Function Description                                   Risk Exposure
Facilities operations and maintenance in the
Ronald Reagan Building and warehouses                  Low

Risk Assessment Factors
• The General Services Administration (GSA) provides services under
  the building occupancy rental agreement with USAID. These costs
  are not separately identified under the occupancy agreement. Two
  USAID staff members are responsible for the management of the
  facilities operations and maintenance function.
• Contracts, other than the building occupancy agreement, are
  relatively small. For example, the icebox maintenance contract is
  $1,700 and taken from the GSA approved schedule.
• The USAID staff members both have extensive experience—22
  years and 9 years.
• The process for notifying GSA of a service request is manual. GSA
  provides weekly reports of service requests and their status. USAID
  does not maintain its own summary log of service requests. No
  on-line tracking mechanism is set up to allow USAID to log requests
  and/or monitor status.
• The Automated Directives System (ADS) 519 was just issued to
  update obsolete requirements.
• GSA conducts annual building inspections.

Function Description                                   Risk Exposure
Mail management                                        Moderate

Risk Assessment Factors
• Sensitivity is high because the mailroom handles both classified and
  unclassified material.
• Mail service is entirely contracted out with one USAID staff person
  overseeing the $485,000 contract. Two additional contracts are used
  for domestic ($22,500) and international ($36,000) couriers.
• No recent reviews of mail management have been conducted.
• The current contract expires at the end of September 2002. The
  current contractor and its employees have been employed since
  1997. Potential changes in the contractor and employees could lead
  to additional training, adjustments, and unforeseen issues.
• The USAID staff person in charge of mail management oversees the
  mail contract. The staff person has attended contract administration
  training as well as training on computer programs and customer
  service.
• The ADS Directive is up-to-date, but job description is out of date.

Function Description                                   Risk Exposure
Management of equipment and furniture in
the Ronald Reagan Building and warehouses              High

Risk Assessment Factors
• Two staff persons manage the acquisition, receiving, movement and
  disposal of equipment and furniture—chairs, tables, file cabinets, etc.
  The equipment and furniture does not include automated equipment
  such as computers, fax machines, printers, photocopiers, and
  telephones.
• The first wall-to-wall inventory was conducted during the summer of
  2001. Location and tracking numbers were given to 15,000 items.
  However, dollar values are not yet assigned to the individual items.
  Items were entered into the inventory via bar codes from a hand-held
  scanner. Items are added and deleted manually because the loading
  dock does not have scanners when an item is delivered or disposed.
  Due to this manual process, the inventory is not maintained real-time.
• Items are also stored at the USAID Capitol Heights warehouse, with
  8,800 square feet. Space is underutilized due to efforts to dispose of
  unneeded items. Items are included in the overall inventory noted
  above. However, no distinct inventory is maintained for the warehouse
  even though new office furniture is stored in the warehouse.
• Segregation of duties appears to be adequate.
• The ADS Directive (ADS 518) was just issued to update obsolete
  requirements.

Function Description                                   Risk Exposure
Metro transit subsidy program                          Low

Risk Assessment Factors
• The Office has approximately an annual $1 million contract with the
  Transportation Administrative Service Center (TASC) of the
  Department of Transportation to distribute Metrocheks within
  USAID.
• TASC distributes Metrocheks 3 days each month to about 1,000
  USAID employees.
• A USAID Inspector General audit of the Metrochek program in
  1999 revealed a breakdown of internal controls and led to the TASC
  contract.
• Approximately 50 percent of one staff person’s time is used to
  handle Metrochek issues with some help from an administrative
  assistant.
• The Metrochek staff person has proactively looked for ways to make
  the process more efficient such as the SmartBenefits option offered
  by the Washington Metropolitan Area Transit Authority.
• Applications for Metrocheks are screened for eligibility based on
  employment status and not concurrently receiving parking subsidies.
• TASC provides monthly reports with employee names and the
  amounts of their Metrocheks.
• The Metrochek staff person also keeps a database. However, it is on
  a hard drive that is not backed up on a regular basis. In addition, the
  database is overwritten with new data and thus can not be used for
  historical purposes.

Function Description                                   Risk Exposure
Photocopiers in the Ronald Reagan Building             High

Risk Assessment Factors
• The USAID Inspector General has conducted an audit of the
  photocopier program. Fieldwork is complete and the final report is
  soon to be issued (Report No. A-000-02-004-P).
• The photocopier program uses three manufacturers to supply about
  125 photocopying machines.
• The audit findings show that USAID can save at least $400,000
  annually.
• The audit findings also show that inventory was not maintained and
  procedures were not documented resulting in a variety of
  inefficiencies including the underutilization of machines.

Function Description                                   Risk Exposure
Printing and graphic services in the Ronald
Reagan Building                                        Moderate

Risk Assessment Factors
• The USAID Inspector General recently issued on March 22, 2002 an
  audit report of the printing and graphics services in the Ronald
  Reagan Building. (Audit Report No. A-000-02-002-P)
• The audit findings show that monitoring and measuring systems
  were inadequate or non-existent and that basic internal controls were
  lacking.
• The Office of Administrative Services agreed with the report, is
  planning to implement the one report recommendation, and has
  already started corrective actions.

Function Description                                   Risk Exposure
Space management in the Ronald Reagan
Building                                               Low

Risk Assessment Factors
• Function incorporates policy for managing space and the
  determination of space usage. An architect manages this function
  with a staff assistant. The architect has 12 years of experience in
  this function.
• Sensitivity is low.
• Outside contractors are occasionally used for planning and redesign
  projects.
• The ADS Directive (ADS 519) was just issued to update obsolete
  requirements.


Conclusion

Our risk assessments of the Consolidation, Property and Services Division of
the Office of Administrative Services, Bureau for Management, (M/AS)
covered seven functions and reached the following conclusions.

                                                      Risk Exposure
Function Description                             High   Moderate   Low
Facilities operations and maintenance in the
Ronald Reagan Building and warehouses                               X
Mail management                                            X
Management of equipment and furniture in the
Ronald Reagan Building and warehouses             X
Metro transit subsidy program                                       X
Photocopiers in the Ronald Reagan Building        X
Printing and graphics services in the Ronald
Reagan Building                                            X
Space management in the Ronald Reagan Building                      X

Based on these assessments, we suggest that the Office of Administrative
Services focus its efforts to mitigate the higher risk associated with the
functions of management of equipment and furniture and photocopier
management. Because the Inspector General has issued (or will soon issue)
audit reports with recommendations, we are not making any suggestions in
regard to printing and graphic services and photocopier management. In
regard to management of equipment and furniture, we suggest that the Office:

•   prepare and maintain a periodically updated, distinct inventory for the
    USAID Capitol Heights warehouse.

Both the Consolidation, Property and Services Division and Office of
Administrative Services management agreed with our risk assessments
and our suggested course of action.


Appendix I

Scope and Methodology

Scope

The Office of Inspector General, Information Technology and Special
Audits Division, conducted a risk assessment of major functions within the
Consolidation, Property and Services Division of the Office of
Administrative Services, Bureau for Management (M/AS). This risk
assessment was not an audit. The risk assessment covered operations
principally for fiscal year 2001. The risk assessment fieldwork was
conducted at USAID headquarters in Washington, D.C. from October 12,
2001 to April 19, 2002.

Our risk assessments of the Consolidation, Property and Services Division’s
major functions have the following limitations in their application.

•   First, we assessed risk at the major function level only, not at the
    Division or Office level.
•   Second, we assessed risk only. Our risk assessments were not sufficient
    to make definitive determinations of the effectiveness of internal controls
    for major functions. Consequently, we did not generally (a) assess the
    adequacy of internal control design, (b) determine if controls were
    properly implemented, and (c) determine if transactions were properly
    documented. If we were able to make these types of determinations
    within the scope of our work, we reported on them accordingly as part of
    our risk exposure assessments.
•   Third, higher risk exposure assessments are not definitive indicators that
    program objectives were not being achieved or that irregularities were
    occurring. A higher risk exposure simply indicates that the particular
    function is more vulnerable to such events.
•   Fourth, risk exposure assessments, in isolation, are not an indicator of
    management capability due to the fact that risk assessments consider
    both internal and external factors, some being outside the span of control
    of management.
•   Fifth, comparison of risk exposure assessments between organizational
    units is of limited usefulness due to the fact that risk assessments
    consider both internal and external factors, some being outside the span
    of control of management.

Methodology

We interviewed officials as well as reviewed related documentation of major
functions performed by the Consolidation, Property and Services Division.
These documents covered background, organization, management, budget,
relevant laws and regulations, staffing responsibilities, prior reviews,
internal controls, and risks (i.e., vulnerabilities). Our review of the
Consolidation, Property and Services Division’s documentation was limited
and judgmental in nature and conducted principally to confirm oral
attestations of management.

We identified the Consolidation, Property and Services Division’s major
functions using the input of the Division Director and based on the
significance and sensitivity of each major function. We determined risk
exposure for all major functions in each division, e.g., the likelihood of
significant abuse, illegal acts, and/or misuse of resources, failure to achieve
program objectives, and noncompliance with laws, regulations and
management policies. We assessed overall risk as high, moderate, or low. A
higher risk exposure simply indicates that the particular function is more
vulnerable to its program objectives not being achieved or that irregularities
were occurring. We considered the following key steps in assessing risk:

(a)    determined significance and sensitivity;
(b)    evaluated susceptibility of failure to attain program goals,
       noncompliance with laws and regulations, inaccurate reporting, or
       illegal or inappropriate use of assets or resources;
(c)    were alert to "red" flags such as a history of improper administration
       or material weaknesses identified in prior audits/internal control
       assessments, poorly defined and documented internal control
       procedures, or high rate of personnel turnover;
(d)    considered management support and the control environment;
(e)    considered competence and adequacy of number of personnel;
(f)    identified and understood relevant internal controls; and
(g)    determined what is already known about internal control effectiveness.

These risk assessments were not sufficient to make definitive determinations
of the effectiveness of internal controls for major functions. As part of the
review methodology, we did (a) identify, understand, and document (only as
necessary) relevant internal controls and (b) determine what was already
known about the effectiveness of internal controls. However, we did not
generally (a) assess the adequacy of internal control design, (b) determine if
controls were properly implemented, nor (c) determine if transactions were
properly documented. In some cases, we were able to make these assessments
and reported on them accordingly as part of our risk exposure assessments.


Appendix II

Management Comments

July 22, 2002

MEMORANDUM

TO:       Melinda Dempsey, IG/A/ITSA

FROM:     Roberto J. Miranda, M/AS/OD

SUBJECT:  Risk Assessment of Major Functions Within the
          Consolidation, Property and Services Division of
          the Office of Administrative Services
          (Report No. A-000-02-xxx-S)

M/AS/CPD worked closely with the Inspector General's
office on this survey believing that this assessment of
vulnerabilities was an opportune first step on the way to
the business transformation urged by the Assistant
Administrator for the Management Bureau. We concur in the
assessment of risk and recommendations.

We are undertaking efforts to prepare an updated,
distinct inventory for the USAID Capitol Heights
warehouse. It is expected that this endeavor will take
approximately four months and will include separating the
warehouse inventory from the inventory database, analyzing
it and verifying it by conducting a physical inventory.

In addition to the above recommendation, the report
identifies other areas and makes useful suggestions which
will be incorporated as well.

In closing, M/AS/CPD appreciates the professional
assistance, courtesy and help of the IG staff,
particularly as we work to implement your
recommendations.